Trend Micro researchers said on Tuesday that the cryptocurrency mining malware is now exploiting a recently-disclosed Atlassian Confluence remote code execution (RCE) vulnerability, which was only made public in August this year.

Tracked as CVE-2021-26084, the vulnerability impacts Confluence server versions 6.6.0, 6.13.0, 7.4.0, and 7.12.0. Issued a CVSS severity score of 9.8, the critical security flaw is an Object-Graph Navigation Language (OGNL) injection vulnerability that can be exploited to trigger RCE – and is known to be actively exploited in the wild. The vulnerability was reported by Benny Jacob through Atlassian’s bug bounty program.

z0Miner, a Trojan and cryptocurrency mining bundle, has been updated to exploit the RCE, as well as Oracle’s WebLogic Server RCE (CVE-2020-14882), an ElasticSearch RCE (CVE-2015-1427), Jenkins, and other code execution bugs in popular server software.

Once a vulnerable server has been found and the vulnerability has been used to obtain remote access, the malware will deploy a set of webshells to install and execute malicious files, including a .dll file disguised as a Hyper-V integration service, as well as a scheduled task that pretends to be a legitimate .NET Framework NGEN task. The task will attempt to download and execute malicious scripts from a repository on Pastebin, but as of now, the URL has been pulled. These initial actions are aimed at maintaining persistence on an infected machine.

In its second-stage payload deployment, z0Miner will then scan and destroy any competing cryptocurrency miners installed on the server, before launching its own – a miner that steals computing resources to generate Monero (XMR).

A patch has been released to resolve CVE-2021-26084, and as threat actors will always seek to exploit new bugs for their own ends – the Microsoft Exchange Server attacks being a prime example – vulnerable systems should always be updated with new security fixes as quickly as possible by IT administrators.
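
As an added example (not code from Trend Micro or the original article), a defender could audit exported Task Scheduler XML for the masquerade described above: a task named like a .NET Framework NGEN task whose action does not run ngen.exe or references a remote URL. The task names, paths and URL below are constructed, and the ngen.exe path rule is an assumed heuristic.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: the real ngen.exe runs from the .NET Framework install directory.
NGEN_EXE = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\ngen\.exe$", re.I)
URL = re.compile(r"https?://", re.I)

def masquerade_reasons(task_xml):
    """Return why an NGEN-named task looks like a masquerade (empty list = no finding)."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    if "ngen" not in uri.lower():
        return []  # only tasks that claim to be NGEN are in scope
    reasons = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = (exe.findtext("t:Command", default="", namespaces=NS) or "").strip().strip('"')
        args = exe.findtext("t:Arguments", default="", namespaces=NS) or ""
        if not NGEN_EXE.search(cmd):
            reasons.append(f"runs {cmd!r}, not ngen.exe")
        if URL.search(cmd + " " + args):
            reasons.append("action references a remote URL")
    return reasons

def _task(uri, command, arguments):
    """Build a minimal task definition (constructed sample, not real malware data)."""
    return (f'<Task xmlns="{NS["t"]}"><RegistrationInfo><URI>{uri}</URI></RegistrationInfo>'
            f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")

# Constructed samples: a plausible genuine task, a look-alike, and an unrelated task.
GENUINE = _task(r"\Constructed\.NET Framework NGEN v4.0.30319",
                r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe",
                "executeQueuedItems")
FAKE = _task(r"\Constructed\.NET Framework NGEN v4.0.30319 64",
             r"C:\Windows\System32\cmd.exe",
             "/c runner https://paste.example/raw/PLACEHOLDER")
UNRELATED = _task(r"\Constructed\Backup", r"C:\Tools\backup.exe", "")

if __name__ == "__main__":
    for name, xml in (("genuine", GENUINE), ("fake", FAKE), ("unrelated", UNRELATED)):
        print(name, masquerade_reasons(xml))
```

Task definitions exported with `schtasks /query /xml` are one way to obtain input for this check; a finding is a lead for review, not proof of compromise.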